What is Cyrus-SASL?

SASL is a protocol for managing authentication between clients and servers. In messaging it is used to authenticate clients to SMTP, POP3, IMAP and LDAP servers. SASL is specified in RFC 2222 (Simple Authentication and Security Layer). SASL defines how authentication information is exchanged, but leaves the definition of the actual authentication mechanisms to other specifications.

Among these, CRAM-MD5 and its successor DIGEST-MD5 use a shared secret (a password) and a challenge, which lets one side prove that it knows the password without ever sending it over the wire. GSSAPI is the mechanism for Kerberos V5. PLAIN sends a plaintext password. Microsoft Outlook Express uses only proprietary mechanisms: LOGIN sends a base64-encoded plaintext password, NTLM is the Microsoft NT LAN Manager authentication, and SPA stands for Secure Password Authentication.

Cyrus-SASL, an Open Source software package developed by Carnegie Mellon University, implements the standard mechanisms and also includes plugins for proprietary authentication mechanisms such as Microsoft NTLM/SPA.

Cyrus-SASL offers several ways to check the actual passwords. saslauthd uses the saslauthd daemon to check cleartext-only passwords against PAM (the system passwords in /etc/shadow), LDAP, Kerberos, and others. auxprop uses external modules for passwords stored in a SASL database (sasldb, a Berkeley DB file), in an SQL database, or in an LDAP directory.
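To make the distinction drawn in the two paragraphs above concrete (keyed challenge-response mechanisms versus cleartext ones, and why saslauthd can only serve the latter), here is an added Python example. It is not code from this page or from Cyrus-SASL: it runs both sides of a CRAM-MD5 exchange and shows what PLAIN and LOGIN put on the wire. The user name, password and challenge are the worked example from RFC 2195; the secret store is a constructed dictionary standing in for sasldb or ldapdb.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Worked example from RFC 2195 (CRAM-MD5), so the digest can be checked by hand.
RFC2195_USER = "tim"
RFC2195_PASSWORD = "tanstaaftanstaaf"
RFC2195_CHALLENGE = "<1896.697170952@postoffice.reston.mci.net>"


def cram_md5_challenge(hostname: str) -> str:
    """Server side: build a fresh, unpredictable challenge in the RFC 2195 format."""
    return f"<{secrets.randbits(32)}.{int(time.time())}@{hostname}>"


def cram_md5_response(username: str, password: str, challenge: str) -> str:
    """Client side: HMAC-MD5 over the challenge, keyed with the password.

    The password itself never leaves the client; only the keyed digest does.
    """
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(response: str, challenge: str, lookup_password) -> bool:
    """Server side: recompute the digest from the stored secret.

    The server needs the cleartext password (or HMAC key material derived from
    it). saslauthd only answers "is this cleartext password correct?", so a
    shared-secret mechanism cannot be backed by saslauthd; it needs an auxprop
    source such as sasldb or ldapdb.
    """
    try:
        username, digest = response.split(" ", 1)
    except ValueError:
        return False
    stored = lookup_password(username)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def plain_initial_response(username: str, password: str, authzid: str = "") -> str:
    """PLAIN (RFC 2595): base64 of authzid NUL authcid NUL password."""
    return base64.b64encode(f"{authzid}\0{username}\0{password}".encode()).decode()


def plain_decode(initial_response: str) -> tuple:
    """What the server (or anyone on an unencrypted link) recovers from PLAIN."""
    authzid, username, password = base64.b64decode(initial_response).decode().split("\0")
    return authzid, username, password


def login_steps(username: str, password: str) -> list:
    """LOGIN: user name and password each sent as a separate base64 line."""
    return [base64.b64encode(username.encode()).decode(),
            base64.b64encode(password.encode()).decode()]


def demo() -> dict:
    # Constructed secret store: like sasldb/ldapdb, the server holds the password itself.
    store = {RFC2195_USER: RFC2195_PASSWORD}
    resp = cram_md5_response(RFC2195_USER, RFC2195_PASSWORD, RFC2195_CHALLENGE)
    ok = cram_md5_verify(resp, RFC2195_CHALLENGE, store.get)
    bad = cram_md5_verify(cram_md5_response(RFC2195_USER, "wrong", RFC2195_CHALLENGE),
                          RFC2195_CHALLENGE, store.get)
    plain_wire = plain_initial_response(RFC2195_USER, RFC2195_PASSWORD)
    return {
        "cram_response": resp,
        "cram_wire": base64.b64encode(resp.encode()).decode(),
        "cram_ok": ok,
        "cram_bad": bad,
        "plain_wire": plain_wire,
        "plain_recovered": plain_decode(plain_wire),
        "login_wire": login_steps(RFC2195_USER, RFC2195_PASSWORD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the CRAM-MD5 response matching the RFC text, a wrong password being rejected, and the PLAIN and LOGIN payloads decoding straight back to the password, which is the reason the cleartext mechanisms must only be offered inside TLS.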

Installing Cyrus-SASL

Download, untar to /usr/local, then install as below. The authentication mechanisms used are CRAM-MD5 (needed? for Thunderbird), DIGEST-MD5, PLAIN and LOGIN (needed for Microsoft Outlook Express); the password checking methods used are saslauthd (with PAM or LDAP) and ldapdb. OpenSSL support is enabled (not sure whether it is actually used, since SASL includes its own encryption routines), and random numbers are taken from /dev/urandom to avoid the severe authentication slowdowns observed with /dev/random (but /dev/urandom should not be used for OTP or SRP).

Reinstalling OpenLDAP

There is a chicken-and-egg problem between OpenLDAP and Cyrus-SASL, as each depends on the other. In the previous chapter we installed OpenLDAP without --enable-spasswd --with-cyrus-sasl. We now reinstall OpenLDAP with --enable-spasswd --with-cyrus-sasl:

Configuring Cyrus-SASL

Applications that use SASL are advised to have an Application.conf file in /usr/lib/sasl2, with a mech_list line selecting a subset of the authentication mechanisms defined for the site, and a pwcheck_method line selecting the password checking method. If the application may use every mechanism defined for the site, mech_list is not needed. log_level is between 0 and 7 (default 1, log unusual errors) and sets the verbosity of the logs written under /var/log in the files auth.log, debug, maillog and syslog.

Known issue

Applications using SASL authentication (e.g. OpenLDAP, Cyrus-IMAP) expect to find a GuessMyName.conf file in /usr/lib/sasl2 to work properly. If this file cannot be found, /var/log/debug will contain messages such as _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: and /var/log/syslog will contain auxpropfunc error invalid parameter supplied. To find the name of the missing file, add the line _sasl_log (NULL, SASL_LOG_ERR, "File %s missing\n", filename); in lib/config.c just after the call to fopen, then rebuild and reinstall SASL (make install). Known SASL configuration filenames are Cyrus.conf, INN.conf, Sendmail.conf and slapd.conf.

Using saslauthd

An Application.conf file to use saslauthd could be:

log_level: 0
mech_list: PLAIN LOGIN
pwcheck_method: saslauthd

Specify the saslauthd options in the file /etc/rc.d/rc.saslauthd: -a ldap selects LDAP as the authentication backend and -n sets the number of waiting worker processes (use 0 to create authentication processes only on demand). Run chmod u+x /etc/rc.d/rc.saslauthd so that saslauthd is launched automatically at startup. For the other saslauthd options, see the saslauthd man page.

Note: as already mentioned when introducing the password checking methods, saslauthd can only verify cleartext passwords (even though it uses DIGEST-MD5 when talking to slapd). So only the PLAIN and LOGIN mechanisms can be used with saslauthd. For security, any such connection should be encapsulated in SSL or TLS when used over the wire.
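As an added example, not part of the original page or of Cyrus-SASL, the following Python checks an Application.conf of the kind shown above against the rule in the note: saslauthd only verifies cleartext passwords, so a mech_list containing CRAM-MD5 or DIGEST-MD5 together with pwcheck_method: saslauthd (and no auxprop source) is a misconfiguration, and log_level must be between 0 and 7. The three configuration texts are constructed samples; the ldapdb one uses the auxprop_plugin key, which is not shown on this page.

```python
import re

# Mechanisms that carry the cleartext password: the only ones saslauthd can check.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}
# Shared-secret mechanisms: the server must hold the secret, i.e. use an auxprop plugin.
SHARED_SECRET_MECHS = {"CRAM-MD5", "DIGEST-MD5"}

# Constructed sample files in the "key: value" format read from /usr/lib/sasl2/Application.conf.
SASLAUTHD_CONF = """\
log_level: 0
mech_list: PLAIN LOGIN
pwcheck_method: saslauthd
"""

BROKEN_CONF = """\
# saslauthd cannot serve CRAM-MD5 or DIGEST-MD5: it only ever sees cleartext passwords
log_level: 9
mech_list: CRAM-MD5 DIGEST-MD5 PLAIN
pwcheck_method: saslauthd
"""

LDAPDB_CONF = """\
log_level: 1
mech_list: PLAIN
pwcheck_method: auxprop
auxprop_plugin: ldapdb
"""


def parse_sasl_conf(text: str) -> dict:
    """Parse 'key: value' lines; '#' lines are comments, keys are case-insensitive."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z_][\w-]*)\s*:\s*(.*)$", line)
        if not m:
            raise ValueError(f"line {lineno}: not a 'key: value' line: {raw!r}")
        conf[m.group(1).lower()] = m.group(2).strip()
    return conf


def lint_sasl_conf(conf: dict) -> list:
    """Return (severity, message) pairs; 'error' means SASL will not do what was intended."""
    findings = []
    level = conf.get("log_level", "1")
    if not level.isdigit() or not 0 <= int(level) <= 7:
        findings.append(("error", f"log_level must be between 0 and 7, got {level!r}"))
    # pwcheck_method may list several methods; auxprop is the library default.
    methods = set(conf.get("pwcheck_method", "auxprop").lower().split())
    mechs = set(conf.get("mech_list", "").upper().split())
    if "saslauthd" in methods and "auxprop" not in methods:
        unusable = sorted(mechs & SHARED_SECRET_MECHS)
        if unusable:
            findings.append(("error", "saslauthd can only verify cleartext passwords; "
                             f"{unusable} will fail, keep mech_list to PLAIN and LOGIN"))
    if mechs & CLEARTEXT_MECHS:
        findings.append(("warn", "mech_list offers cleartext mechanisms; require SSL/TLS on the wire"))
    return findings


def errors(findings: list) -> list:
    """Only the findings that make the configuration non-functional."""
    return [msg for severity, msg in findings if severity == "error"]


if __name__ == "__main__":
    for name, text in (("saslauthd", SASLAUTHD_CONF), ("broken", BROKEN_CONF), ("ldapdb", LDAPDB_CONF)):
        print(name, lint_sasl_conf(parse_sasl_conf(text)))
```

The cleartext warning is deliberately a warning and not an error: PLAIN and LOGIN are the mechanisms this setup relies on, and the check only reminds the administrator that they belong inside an encrypted session.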

Using sasldb

sasldb stores a list of users and passwords in the /etc/sasldb2 password database. The tools to maintain this database are sasldblistusers2, which lists the users, and saslpasswd2, which adds or removes users and passwords. For more options, see the man pages. Note: when creating users, it may be necessary to append the domain name for the password check to work.

Using ldapdb

This is our preferred method, as it lets the LDAP directory be the single, direct source of authentication for all applications (saslauthd is not needed when the ldapdb auxprop plugin is used). We will use it later in this document for Sendmail and Cyrus-IMAP authentication. The PLAIN mechanism will be used together with encryption so that authentication information does not travel in the clear. An Application.conf file to use ldapdb is as below: